author | Viswanath Kraleti <vkraleti@codeaurora.org> | 2016-03-03 19:28:26 +0530 |
---|---|---|
committer | Viswanath Kraleti <vkraleti@codeaurora.org> | 2016-03-18 22:58:24 +0530 |
commit | 0a278d1a4e6ec235071c80b89ac74f8f39ae3585 (patch) | |
tree | fddb854338a39482a39bf442a40cfc5e6ca3b548 /soc/msm8916/prebuilts/sepolicy/qseecomd.te | |
parent | 6be41318afa8d4b316831d961a411b910ee853dd (diff) | |
download | qcom-0a278d1a4e6ec235071c80b89ac74f8f39ae3585.tar.gz |
msm8916: Add HW backed keymaster v1 support
Install HW backed keymaster HAL binaries into dragonboard.
Add selinux rules to run qseecom daemon.
BUG=24675146
Change-Id: I73afdeb0a46540799a594e37f3cd5926e51ae334
Signed-off-by: Sourabh Banerjee <sbanerje@codeaurora.org>
Diffstat (limited to 'soc/msm8916/prebuilts/sepolicy/qseecomd.te')
-rw-r--r-- | soc/msm8916/prebuilts/sepolicy/qseecomd.te | 91 |
1 files changed, 91 insertions, 0 deletions
diff --git a/soc/msm8916/prebuilts/sepolicy/qseecomd.te b/soc/msm8916/prebuilts/sepolicy/qseecomd.te
new file mode 100644
index 0000000..ef10f51
--- /dev/null
+++ b/soc/msm8916/prebuilts/sepolicy/qseecomd.te
@@ -0,0 +1,91 @@
+# Tee starts as root, and drops privileges
+allow tee self:capability {
+ setuid
+ setgid
+ sys_admin
+ chown
+ sys_rawio
+};
+
+# Need to directly manipulate certain block devices
+# for anti-rollback feature
+allow tee modem_efs_partition_device:blk_file rw_file_perms;
+
+allow tee block_device:dir r_dir_perms;
+allow tee rpmb_device:blk_file rw_file_perms;
+
+# Need to figure out how many scsi generic devices are preset
+# before being able to identify which one is rpmb device
+allow tee device:dir r_dir_perms;
+allow tee sg_device:chr_file { rw_file_perms setattr };
+
+# Allow qseecom to qsee folder so that listeners can create
+# respective directories
+allow tee data_qsee_file:dir create_dir_perms;
+allow tee data_qsee_file:file create_file_perms;
+allow tee system_data_file:dir r_dir_perms;
+
+allow tee persist_file:dir r_dir_perms;
+r_dir_file(tee, persist_data_file)
+
+# Write to drm related pieces of persist partition
+allow tee persist_drm_file:dir create_dir_perms;
+allow tee persist_drm_file:file create_file_perms;
+
+# Provide tee access to ssd partition for HW FDE
+allow tee ssd_device:blk_file rw_file_perms;
+
+# Allow tee to operate tee device
+allow tee tee_device:chr_file rw_file_perms;
+
+# Allow tee to load firmware images
+r_dir_file(tee, firmware_file)
+
+# Allow qseecom access to time domain
+allow tee time_daemon:unix_stream_socket connectto;
+
+# Allow tee access for secure UI to work
+allow tee graphics_device:dir r_dir_perms;
+allow tee graphics_device:chr_file r_file_perms;
+
+binder_use(tee)
+
+allow tee system_app:unix_dgram_socket sendto;
+unix_socket_connect(tee, property, init)
+
+# Allow qseecom access to set system property
+allow tee system_prop:property_service set;
+
+userdebug_or_eng(`
+ allow tee su:unix_dgram_socket sendto;
+')
+
+# Allow qseecom access to set system property
+allow tee system_prop:property_service set;
+
+# Allow access to qfp-daemon
+allow tee qfp-daemon_data_file:dir create_dir_perms;
+allow tee qfp-daemon_data_file:file create_file_perms;
+
+# Provide access to block devices for MDTP
+allow tee mdtp_device:blk_file rw_file_perms;
+allow tee dip_device:blk_file rw_file_perms;
+allow tee system_block_device:blk_file r_file_perms;
+
+# Provide access to QC Crypto driver for MDTP
+allow tee qce_device:chr_file rw_file_perms;
+
+# Provide access to /data/misc/qsee/mdtp for MDTP temp files
+allow tee data_qsee_file:dir create_dir_perms;
+allow tee data_qsee_file:{ file fifo_file } create_file_perms;
+
+# Provide read access to all /system files for MDTP file-to-block-mapping
+r_dir_file(tee, exec_type)
+r_dir_file(tee, system_file)
+
+# Provide tee ability to access QMUXD/IPCRouter for QMI
+qmux_socket(tee)
+allow tee self:socket create_socket_perms;
+
+# Provide tee ability to run executables in rootfs for MDTP
+allow tee rootfs:file x_file_perms; |
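Review bot: `allow tee system_prop:property_service set;` is granted twice in this hunk (once before and once after the `userdebug_or_eng` block, with the same comment), and `allow tee data_qsee_file:dir create_dir_perms;` is likewise repeated under both the "qsee folder" and the "MDTP temp files" sections; the second copy of each should be dropped so every grant appears exactly once and a later audit has one place to narrow it. The broadest grants here — `self:capability { setuid setgid sys_admin chown sys_rawio }`, `r_dir_file(tee, exec_type)` / `r_dir_file(tee, system_file)`, `self:socket create_socket_perms`, and `rootfs:file x_file_perms` — are commented only with the feature that wants them ("MDTP", "anti-rollback"), not the concrete operation; a one-line comment per rule naming the file, device or syscall the daemon actually performs (e.g. `# sys_rawio: raw block I/O on the rpmb/ssd partitions`, if that is the reason) would let the set be tightened later, and the header comment's claim that the daemon "drops privileges" would be easier to verify if it said to what. The file is `qseecomd.te` but every rule targets the `tee` domain, which is presumably the domain qseecomd is transitioned into; a header line such as `# Domain for qseecomd (labelled tee); see file_contexts / init transition` would make that explicit. Minor: the comment "how many scsi generic devices are preset" should read "present".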